Why I regenerated my SSH key and maybe you should too

Why I regenerated my SSH key and maybe you should too

security

I think we all agree it’s a good practice to regenerate your SSH key from time to time. Not sure about you, but the first thing that comes to my mind when I think about that is: it’d take forever to replace my key in all servers I need to access, all online services that use my key, etc.

Overcoming my laziness, I decided at least to list every place I’d have to update it. Interesting fact: it turned out that it was pretty much a small list:

  • Servers
  • Github
  • BitBucket
    • Although now it looks more reasonable, I was still lazy to do it. Then, a few days ago, I noticed that Github recommends the use of HTTPS instead of SSH for Git repositories syncs:

      Github - HTTPS vs SSH

      What does one thing have to do with another? Well, by using HTTPS, you don’t need to upload your SSH key to Github (check this out: mine isn’t longer at Github). BitBucket also supports it, which means I’d be able to regenerate my SSH key without having to upload it again to these services.

      Servers

      What’s left? Servers! From now on, every time I realise it’s time to regenerate my SSH key, all I need to update are the servers. I ended up making a list of servers that I’d need to update and found out in the end it wasn’t a big list and it’d be way easier than I thought it would.

      Let’s face the truth: I had been using the same SSH key in the last 5 years or so and it’d be totally worth it to ensure my security as well as the security of the projects from the company I work for.

      Becoming safer

      There’s more! This is the interesting part of this post: I’ve changed other things that made everything even safer:

      1. My new SSH key uses 4096 bitsrecommended by Github – instead of the default (2048 bits).
      2. As I mentioned before, I’ve changed all my local repositories to use HTTPS instead of SSH (see how in the end of this post).
      3. I’m now using a personal access token rather than my Github password (you can create it here), along with two-factor authentication, which I was already using.
      4. Cool, but would I need to type this token every time? Nope. There’s a nifty tool called ssh-agent that can save your token. If you’re using OS X, it’s even easier: Keychain can save and encrypt your token for you.
      5. My SSH key now has a passphrase, also saved encrypted in OS X’s Keychain, which means I don’t need to type it every time either.

      HTTPS is faster!

      According to some tests I made here, HTTPS is faster than SSH:

      # SSH
      $ time git clone git@github.com:rails/rails.git
      # 24.28s user 9.56s system 49% cpu 1:08.20 total
      
      # HTTPS
      $ time git clone https://github.com/rails/rails.git
      # 13.52s user 6.41s system 39% cpu 50.730 total
      

      In order to use HTTPS in my Git repos, do I need to re-clone every project?

      Nope. Just edit the file .git/config (within your project folder) and replace:

      url = git@github.com:username/repo.git

      with:

      url = https://github.com/username/repo.git

      Conclusion

      Regenerating your SSH key every now and then isn’t painful as you think it is. I’d recommend doing it every 3 years or even less if you’re paranoic or you work on something critic.

  • Denis Lins

    Using https over ssh is way slower. I personally would rather regenerate my keys when I need than slow down something I use pretty much all day.

  • lucascaton

    It was the opposite here, HTTPS has been faster, I’ve using for 3 days now :-)

    $ time git clone git@github.com:rails/rails.git

    git clone git@github.com:rails/rails.git 24.28s user 9.56s system 49% cpu 1:08.20 total

    $ time git clone https://github.com/rails/rails.git

    git clone https://github.com/rails/rails.git 13.52s user 6.41s system 39% cpu 50.730 total

  • Denis Lins

    I did some tests as well, and to my surprise, it was indeed faster.

    I remember I switched to ssh some time ago because it was slower than https. Maybe it was only true for my repo at the time, or maybe some improvements have been made at the git core or github… I don’t really know.

    Anyway, thanks for pointing out!

  • Denis Lins

    I did some tests as well, and to my surprise, it was indeed faster.

    I remember I switched to ssh some time ago because it was slower than https. Maybe it was only true for my repo at the time, or maybe some improvements have been made at the git core or github… I don’t really know.

    Anyway, thanks for pointing out!

  • That’s odd… I had the same feeling about ssh being faster. Anyway, let’s give it a try.

Comments are closed.